Time Stamp Signer
The signer has the class name: org.signserver.server.signers.TimeStampSigner.
Overview
The time stamp server generates time stamp tokens and supports the following options:
- Set of accepted policies
- Set of accepted algorithms
- Set of accepted extensions
- Accuracy microseconds
- Accuracy milliseconds
- Accuracy seconds
- Included certificate chain (currently doesn't include CRLs)
- Ordering
- TSA name
Time-stamp requests are served through a HTTP(S) service at the URL:
http://<host name>/signserver/process?workerId=<worker Id>
The time-stamp signer requires a time-stamp certificate with the extended key usage time-stamp only. The extended key usage extension must be critical.
If the time-stamp request contains a nonce value, this value will also be included in the time-stamp token.
Available Properties
Property | Description |
---|---|
TIMESOURCE | Property containing the fully qualified name of the class implementing the ITimeSource that should be used (OPTIONAL). Below are the built-in TimeSourceS available: org.signserver.server.LocalComputerTimeSource This is the default TimeSource and uses the time from the local computer and always returns the time. |
org.signserver.server.StatusReadingLocalComputerTimeSource Worker properties:
| |
SIGNATUREALGORITHM | Property specifying the algorithm used to sign the timestamp. Default: SHA256withRSA. |
ACCEPTEDALGORITHMS | A ';' separated string containing accepted algorithms. Can be null if it should not be used. OPTIONAL but strongly recommended. Supported Algorithms are: GOST3411, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD128, RIPEMD160, RIPEMD256. |
ACCEPTEDPOLICIES | A ';' separated string containing accepted policies. Note that only policies listed in this property are allowed to be requested. If the property does not contain any policies, then no policy can be requested. Requests not including any policy will use the default policy regardless of this property, but requests explicitly requesting the default policy will still not be allowed unless listed in this property. If this property is used, ACCEPTANYPOLICY cannot be set to true. OPTIONAL, recommended. |
ACCEPTANYPOLICY | If set to true, allow any policy. If set to true, ACCEPTEDPOLICIES cannot be set. Optionally, this can be set to false or left empty when setting ACCEPTEDPOLICIES. |
ACCEPTEDEXTENSIONS | A ';' separated string containing accepted extensions, can be null if it should not be used. OPTIONAL. |
DEFAULTTSAPOLICYOID | The default policy ID of the time stamp authority. REQUIRED, if no policy OID is specified in the request, then will this value be used. |
ACCURACYMICROS | Accuracy in microseconds as an integer, can be combined additively with ACCURACYMILLIS and ACCURACYSECONDS. OPTIONAL. |
ACCURACYMILLIS | Accuracy in milliseconds as an integer, can be combined additively with ACCURACYMICROS and ACCURACYSECONDS. OPTIONAL. |
ACCURACYSECONDS | Accuracy in seconds as an integer, can be combined additively with ACCURACYMICROS and ACCURACYMILLIS. OPTIONAL. |
ORDERING | The ordering (OPTIONAL), default false. Only false is supported. |
INCLUDEORDERING | If set to true, always include the ordering attribute, even when ORDERING is set to false. It is not allowed to set this to false when ORDERING is set to true, default is false. OPTIONAL. |
TSA | General name of the Time Stamp Authority. OPTIONAL. |
TSA_FROM_CERT | Setting this property to true sets the general name of the Time Stamp Authority to the subject DN of the signing certificate. This cannot be set to true if the TSA property is set. OPTIONAL, default is to not set the general name. |
REQUIREVALIDCHAIN | Set to true to perform an extra check that the SIGNERCERTCHAIN only contains certificates in the chain of the signer certificate. OPTIONAL, default false. |
MAXSERIALNUMBERLENGTH | The maximum size (in bytes) used when generating serial numbers, must be between 8 and 20 (64 - 160 bits) (Default: 8). The generated serial number will always be positive (so the sign bit is always a zero). |
WORKERLOGGER | As for other workers this property can be used to specify which worker logger to use. By default, the DefaultTimeStampLogger is used. |
INCLUDESTATUSSTRING | Specifies if the status string is to be included in the response. Setting this to true triggers a bug in some versions of OpenJDK's jarsigner utility, default is false. OPTIONAL. |
INCLUDE_CERTID_ISSUERSERIAL | Specifies if the signingCertificate (or signingCertificateV2) attribute's ESSCertID should include the issuer and serial number in addition to the certificate hash. Default is true. |
INCLUDESIGNINGTIMEATTRIBUTE | Specifies if the signingTime signed CMS attribute should be included in the response, default is true. OPTIONAL. |
INCLUDECMSALGORITHMPROTECTATTRIBUTE | Specifies if the cmsAlgorithmProtect (RFC#6211) signed attribute should be included in the response, default is true. OPTIONAL. |
CERTIFICATE_DIGEST_ALGORITHM | Specifies the digest algorithm used for calculating the digest of the signing certificate. Supported values are: SHA1, SHA224, SHA256, SHA384, SHA512. When using an algorithm other than SHA1, RFC 5816-compliant time stamps will be issued. To get the old behavior (with the ESSCertID attribute instead of ESSCertIDv2), SHA1 must be set explicitly. Default: SHA256. |
LEGACYENCODING | As of SignServer 4.0, the encoding of the time-stamp tokens has changed. One consequence is that the order of the certificates in the output might not be the same as in the certificate chain due to the DER encoding and the fact that the certificates field is a set and thus not ordered. To restore the old behavior, set LEGACYENCODING=true. Default is false. OPTIONAL. |
VERIFY_TOKEN_SIGNATURE | Specifies if the timestamp token signature is to be validated after signing. Signing fails if validation is not successful. Default is true. |
Certificate Requirements
- Specifying a signer certificate is required as information from that certificate will be used to indicate which signer signed the time-stamp token.
- The signer certificate chain contains all certificates included in the token if the client requests the certificates.
- The signer certificate MUST be included in the configured certificate chain. Other certificates might also be included in the chain (typically intermediate CA certificates). However, if REQUIREVALIDCHAIN=true is specified, only the signer certificate, directly followed by its issuer and then the issuer's issuer and so on, is allowed. All certificates will be verified if there is a certificate coming after it. No check is made that the last certificate is a root certificate as that certificate is usually not included.
- A time-stamp signer certificate must have the extended key usage extension present and marked as critical.
- The extended key usage extension must contain the timeStamping key purpose ID and only that one.